
Mobile apps riddled with high-risk vulnerabilities, warns report

Be careful before installing that mobile app on your iOS or Android device. Mobile applications are riddled with vulnerabilities, according to research from security company Positive Technologies.

The news won’t come as much of a shock to anyone who has read GPEN’s 2014 study of app privacy failings; IOActive’s 2013 study of banking app security, its follow-up in 2015, or its investigation of stock trading app security in 2017; or Arxan’s 2019 look at banking and finance app security.

Positive Technologies, which provides vulnerability management and threat analysis tools, reviewed 17 mobile apps in depth to see how secure they were. It found high-risk vulnerabilities in 43% of the Android apps. iOS fared only slightly better, with 38% of apps containing high-risk flaws.

Insecure data storage was the biggest security risk by far, found in 76% of applications. Examples of this flaw included storage of authentication PINs on the mobile device instead of on the server, increasing the risk of a leak – something 53% of applications were guilty of.

Another common mistake was the use of insecure snapshots. These are images that the smartphone takes to remember the software’s current state when the user switches to another application. Apps should mask sensitive data such as credit card numbers when creating these snapshots to avoid the data leaking, but 65% failed to do so, said the report.

Insecure transmission of sensitive data and incorrect session management came in joint second, at 35%. Examples of insecure data transfer include the use of insecure HTTP communications, the report said. However, it added that insecure data transfer is far less common on iOS, probably due to the introduction of protective measures in iOS 9. We told you last year about Android apps’ problems with insecure oversharing.

The researchers pointed out that the software installed on mobile devices themselves is only one part of the equation. The other is the server component that the application talks with. These server-side apps are fruitful attack points for hackers, the report warned, explaining:

Protection of mobile application servers is no better than that of clients

Every server-side component that the researchers tested had at least one vulnerability that would enable an attack on a user.

These vulnerabilities included cross-site scripting (XSS) flaws (by far the most common at 86%). Information leakage, poor authorization, and the leaking of sensitive information in error messages all came in joint second at 43% each.

Examples of these flaws included sending a person’s full name and phone number in a server response during chat sessions. One app included a session ID in a document link, allowing attackers to hijack the legitimate user’s server session.
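A session ID carried in a link ends up in server logs, browser history and Referer headers, so it can be found by reviewing access logs. The following is an added example, not code from the report or from Positive Technologies: it scans access-log lines for session identifiers in URLs. The parameter-name list and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names commonly used for session identifiers (assumed list, extend as needed).
SESSION_PARAMS = {"sessionid", "session_id", "sid", "jsessionid", "phpsessid", "token"}

# Request part of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not taken from the report).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2020:10:00:00 +0000] "GET /docs/view?id=42&sessionid=3f9a1c77e2b04d55 HTTP/1.1" 200 5120
203.0.113.5 - - [01/Jan/2020:10:00:02 +0000] "GET /static/app.css HTTP/1.1" 200 900
198.51.100.7 - - [01/Jan/2020:10:00:05 +0000] "GET /report.pdf;jsessionid=A1B2C3D4E5F6 HTTP/1.1" 200 20480
198.51.100.7 - - [01/Jan/2020:10:00:09 +0000] "GET /search?q=sid HTTP/1.1" 200 300
"""


def session_ids_in_target(target):
    """Return (param_name, value) pairs for session identifiers carried in a URL."""
    parts = urlsplit(target)
    found = []
    # Query string form: /path?sessionid=...
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS and value:
            found.append((name, value))
    # Path-parameter form: /path;jsessionid=...
    for segment in parts.path.split("/"):
        for param in segment.split(";")[1:]:
            name, _, value = param.partition("=")
            if name.lower() in SESSION_PARAMS and value:
                found.append((name, value))
    return found


def scan_log(text):
    """Return (line_number, param_name, redacted_value) for each exposed session ID."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for name, value in session_ids_in_target(match.group("target")):
            # Redact so the report itself does not become another leak.
            findings.append((lineno, name, value[:4] + "..."))
    return findings
```

Any finding means the application should move the identifier out of the URL, typically into a cookie marked Secure and HttpOnly.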

Another common high-risk server-side vulnerability was misconfiguration. For example, a server might have TRACE requests enabled (this is a feature that echoes HTTP requests back to the user for debugging purposes). That, combined with a cross-site scripting (XSS) vulnerability, could allow an attacker to steal cookies, said the report.
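The TRACE misconfiguration can be checked on servers you operate by sending a TRACE request with a marker cookie and seeing whether it comes back in the response body. The following is an added example, not code from the report: the two handler classes are constructed local stand-ins for a misconfigured and a corrected server, and `CANARY` is a made-up value.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CANARY = "audit-canary-0000"  # constructed marker, not a real session value


class TraceEnabled(BaseHTTPRequestHandler):
    """Constructed stand-in for the misconfigured server: TRACE echoes the request."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


class TraceDisabled(BaseHTTPRequestHandler):
    """Constructed stand-in for a corrected server: no TRACE handler, so 501."""

    def log_message(self, *args):
        pass


def trace_reflects_cookie(host, port, timeout=5):
    """True if the server answers TRACE and echoes our Cookie header back."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"Cookie": "session=" + CANARY})
        resp = conn.getresponse()
        return resp.status == 200 and CANARY in resp.read().decode("latin-1")
    finally:
        conn.close()


def audit(handler_cls):
    """Run the check against a throwaway local server using handler_cls."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return trace_reflects_cookie("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()
```

A `True` result means request headers, cookies included, are reflected to the client and TRACE should be switched off; on Apache httpd the setting is `TraceEnable off`.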

While developers are ultimately responsible for buggy applications, some users must share culpability, warned the company: for example, those who escalate their OS privileges on purpose (known as jailbreaking on iOS devices or rooting on Android ones) to sideload software or customize their interface. This can give an application unfettered access to the underlying system and data.

The report concluded:

Most of the discovered vulnerabilities were introduced during the design stage and result from failure to “think through” security-related questions. We recommend a methodical approach to designing and following through on mobile application security, regularly testing it starting from Day 1 of the software lifecycle.

7 Comments

Is there a link to the research? The one in the article navigates to the Positive Technologies about page. I clicked around but did not find it.


I’ve fixed the link in the article. The research can be found here:
https://www.ptsecurity.com/ww-en/analytics/mobile-application-security-threats-and-vulnerabilities-2019/


What do we do? How do we mitigate this? Does uninstalling them fix the problem or do we need to hard reset our phones after that? Is it possible that they’re putting something that can survive a hard reset, like a Trojan that survives Apple reset?


This isn’t one problem and so there’s no single answer. The research is speaking generally, suggesting that the standard of programming isn’t good enough when it comes to security – best practices are not being followed. There is, sadly, not much you can do about it, but it isn’t like getting malware on your phone.

In general, only install the apps you absolutely need, don’t jailbreak and patch promptly.


You should check into the real underlying problem in the politics that is involved in it, and just like the politics that we hear in the news as to all the anti government scrabble. The tech companies and the apps will tout a big anti government claim, until someone comes along and toggles their end of the ordeal which in turn spins them to cry to the government for help. And it isn’t just by accident that this occurs they do it deliberately with intent. Obstruction charges should be leveled their way, and not just to the tech companies but to the two political parties who are attempting to use the situation to monopolize on it. One big cluster F.
